Skillset

Modern forms of markup languages such as HTML, XML and XHTML are mostly used in designing web pages.

XML, which stands for Extensible Markup Language, defines a set of rules for encoding documents in a format that can be read by both humans and machines.1

XML has some known advantages which makes it a universal and secure language. These advantages include the ability to store data independent of whether a system is software or hardware.

Another advantage of XML is its ability to present and make data available to devices such as smartphones and digital telephone booths. XML supports the consistent encoding and handling of text, allowing most data outputs in any written human language to be presented.

Web technologies have greatly advanced, presenting users with both benefits and vulnerabilities. XML, too, has its fair share. This article will introduce the basic structure of XML and then shed some light on the external entity attack.

XML File Document Structure

The Extensible Markup Language (XML) 1.0 fifth edition, which is a W3C recommendation, states each XML document has a physical and a logical structure.

Physical structure: The physical structure of the document is made up of storage units called entities. Each entity has a name, content and may refer to other entities to cause their inclusion in the document.

Logical structure: The logical structure of the document is made up of comments, elements, declaration and processing instruction.

XML File Declaration

Mostly, if used, the first line of an XML file is the declaration. This identifies the document as being XML and allows it to be parsed by the processor — a software module used to read the document.

These are the encoding names of the most popular character sets in use now. An extensive list is available at: https://www.iana.org/assignments/character-sets/character-sets.xml

Standalone

Yes or no

This declaration determines whether the document contains any external entities. If there are no external entities, the value is set to “yes” and then “no” when there are dependencies on external entities.

What Is a Document Type Declaration (DTD)?

The document type declaration immediately follows an XML declaration. It checks the validity of the structure of XML documents against some predefined rules of an XML language. It also provides the location of the DTD. The declaration is known as internal when the backbone of an XML document is declared within the XML files and external when the same backbone is declared outside the XML files.

What Does an Internal DTD Look Like?

<?xml version=”1.0″ encoding=”UTF-8″ standalone=”yes” ?>

<!DOCTYPE geolocation [

<!ELEMENT geolocation (latitude, longitude, temperature)>

<!ELEMENT latitude (#PCDATA)>

<!ELEMENT longitude (#PCDATA)>

<!ELEMENT temperature (#PCDATA)>

]>

<geolocation>

<latitude>14.5° North</latitude>

<longitude>20.8° West</longitude>

<temperature>39°Celcius</temperature>

</geolocation>

What Does an External DTD Look Like?

<?xml version=”1.0″ encoding=”UTF-8″ standalone=”yes” ?>

<!DOCTYPE geolocation SYSTEM “geolocation.dtd“>

<geolocation>

<latitude>14.5° North</latitude>

<longitude>20.8° West</longitude>

<temperature>39°Celcius</temperature>

</geolocation>

The content of the DTD file address geolocation.dtd is shown below:

<!ELEMENT geolocation (latitude, longitude, temperature)>

<!ELEMENT latitude (#PCDATA)>

<!ELEMENT longitude (#PCDATA)>

<!ELEMENT temperature (#PCDATA)>

What Is an XML External Entity Attack?

An XML external entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.2

The attack may lead to the exposure of sensitive and confidential data, or access to free or usable TCP/UDP ports.

How Does an XML External Entity Attack Work?

The attacker prepares an XML message together with a DTD as shown below. This message commonly includes an XXE that reads a locally stored file, for example “/etc/geofile”

The attacker sends the prepared XML message to the web application on the IP address 192.168.0.2

The web application processes the incoming XML message. It parses the DTD, resolves the XXE and then deals with the resulting XML

The web application sends an HTTP response to the attacker at 192.168.0.1. For a successful XXEA, this response must somehow contain the content of the locally stored file, for example, the “/etc/geofile” file.

Ethical Hacking Training – Resources (InfoSec)

How Can I Prevent XXE Attacks?

Considering the number of possibilities to mount an external entity attack, its prevention may not be that easy. Continuous training and use of pentesting tools may be a good way to keep developers updated on new attacks. Deploying web application firewalls may also act as an effective way to monitor and prevent these attacks.

This is, for instance, the case for the default Java XML parser. To mitigate XXE attacks, one has to configure the parser as follows:3

Conclusion

Leaving settings as default for most XML parsers will expose web applications to XML external entity attacks. This vulnerability can be used to unveil sensitive data and cause denial of service. Performing analysis and sometimes deep inspection of packets may reveal attempts to exploit this vulnerability. A good understanding of XML and the XXE attack will help system administrators protect their applications against this vulnerability.

Your email address will not be published. Required fields are marked *

Comment

Name *

Email *

Website

Save my name, email, and website in this browser for the next time I comment.

six + 2 =

About InfoSec

At Infosec, we believe knowledge is the most powerful tool in the fight against cybercrime. We provide the best certification and skills development training for IT and security professionals, as well as employee security awareness training and phishing simulations. Learn more at infosecinstitute.com.

Connect with us

Join our newsletter

File download

First Name

Last Name

Work Phone Number

Work Email Address

Job Title

Why Take This Training?

How will you fund your training?

What is your training budget?

InfoSec institute respects your privacy and will never use your personal information for anything other than to notify you of your requested course pricing. We will never sell your information to third parties. You will not be spammed.

Comments

What is Skillset?

Skillset

Practice tests & assessments.

Practice for certification success with the Skillset library of over 100,000 practice test questions. We analyze your responses and can determine when you are ready to sit for the test. Along your journey to exam readiness, we will:

1. Determine which required skills your knowledge is sufficient
2. Which required skills you need to work on
3. Recommend specific skills to practice on next
4. Track your progress towards a certification exam